return ldb_handler_copy(ldb, mem_ctx, in, out);
}
+
+/*
+ convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob
+*/
+static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *in, struct ldb_val *out)
+{
+ struct security_descriptor *sd;
+ NTSTATUS status;
+ const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
+ if (domain_sid == NULL) {
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+ sd = sddl_decode(mem_ctx, (const char *)in->data, domain_sid);
+ if (sd == NULL) {
+ return -1;
+ }
+ status = ndr_push_struct_blob(out, mem_ctx, sd,
+ (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+ talloc_free(sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format)
+*/
+static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *in, struct ldb_val *out)
+{
+ struct security_descriptor *sd;
+ NTSTATUS status;
+ const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
+
+ if (domain_sid == NULL) {
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+
+ sd = talloc(mem_ctx, struct security_descriptor);
+ if (sd == NULL) {
+ return -1;
+ }
+ status = ndr_pull_struct_blob(in, sd, sd,
+ (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(sd);
+ return -1;
+ }
+ out->data = (uint8_t *)sddl_encode(mem_ctx, sd, domain_sid);
+ talloc_free(sd);
+ if (out->data == NULL) {
+ return -1;
+ }
+ out->length = strlen((const char *)out->data);
+ return 0;
+}
+
static const struct ldb_attrib_handler samba_handlers[] = {
{
.attr = "objectSid",
.canonicalise_fn = ldb_canonicalise_objectSid,
.comparison_fn = ldb_comparison_objectSid
},
+ {
+ .attr = "ntSecurityDescriptor",
+ .flags = 0,
+ .ldif_read_fn = ldif_read_ntSecurityDescriptor,
+ .ldif_write_fn = ldif_write_ntSecurityDescriptor,
+ .canonicalise_fn = ldb_handler_copy,
+ .comparison_fn = ldb_comparison_binary
+ },
{
.attr = "objectGUID",
.flags = 0,
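Review bot: In ldif_read_ntSecurityDescriptor the call `sddl_decode(mem_ctx, (const char *)in->data, domain_sid)` treats an ldb_val as a C string and ignores `in->length`, so the SDDL parser runs past the value unless the LDIF reader happens to NUL-terminate it; the parser also receives attacker-controlled LDIF text here, so the bound should not be implicit. Copy the value to a bounded string first: `char *sddl = talloc_strndup(mem_ctx, (const char *)in->data, in->length);` / `if (sddl == NULL) return -1;` / `sd = sddl_decode(mem_ctx, sddl, domain_sid);`. Separately, the `domain_sid == NULL` branch in both handlers falls back to `ldb_handler_copy`, which on the read side stores the SDDL text verbatim in an attribute every other consumer treats as an NDR blob — if that is deliberate (e.g. provisioning before the domain SID exists) it deserves a comment such as `/* no domain SID yet: store the raw value; it is not a valid NDR descriptor */`, otherwise it should probably fail rather than write a mis-typed value.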
It can either be a special 2 letter code, or in S-* format
*/
static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
const char *sddl = (*sddlp);
int i;
note that this routine modifies the string
*/
static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
const char *tok[6];
const char *s;
*/
static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
const char **sddlp, uint32_t *flags,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
const char *sddl = *sddlp;
struct security_acl *acl;
decode a security descriptor in SDDL format
*/
struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
struct security_descriptor *sd;
sd = talloc_zero(mem_ctx, struct security_descriptor);
encode a sid in SDDL format
*/
static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
int i;
char *sidstr;
encode an ACE in SDDL format
*/
static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
char *sddl;
TALLOC_CTX *tmp_ctx;
encode an ACL in SDDL format
*/
static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl,
- uint32_t flags, struct dom_sid *domain_sid)
+ uint32_t flags, const struct dom_sid *domain_sid)
{
char *sddl;
int i;
encode a security descriptor to SDDL format
*/
char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
char *sddl;
TALLOC_CTX *tmp_ctx;
return False;
}
+#if 0
+ /* flags don't have a canonical order ... */
+ if (strcmp(sddl, sddl2) != 0) {
+ printf("Failed sddl equality test\norig: %s\n new: %s\n", sddl, sddl2);
+ }
+#endif
+
if (DEBUGLVL(2)) {
NDR_PRINT_DEBUG(security_descriptor, sd);
}
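Review bot: The `#if 0` block added at the top of the hunk is commented-out code and will rot; the reason it is disabled is the only useful part. Either drop it or keep just the explanation as a comment, e.g. `/* the re-encoded SDDL is not compared byte-for-byte: flag order in SDDL is not canonical */`, so a later reader does not re-enable a check that is known to fail. The enclosing test function starts outside the hunk.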